% Clam AntiVirus: User Manual
%
% Copyright (C) 2002 - 2007 Tomasz Kojm <tkojm*clamav.net>
% Version 0.2x corrected by Dennis Leeuw <dleeuw*made-it.com>
% Version 0.80 corrected by Tomasz Papszun <tomek*clamav.net>
%
% This program is free software; you can redistribute it and/or modify
% it under the terms of the GNU General Public License as published by
% the Free Software Foundation; either version 2 of the License, or
% (at your option) any later version.
%
% This program is distributed in the hope that it will be useful,
% but WITHOUT ANY WARRANTY; without even the implied warranty of
% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
% GNU General Public License for more details.
%
% You should have received a copy of the GNU General Public License
% along with this program; if not, write to the Free Software
% Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
% MA 02110-1301, USA.
\documentclass[a4paper,titlepage,12pt]{article}
\usepackage{amssymb}
\usepackage{pslatex}
\usepackage[dvips]{graphicx}
\usepackage{wrapfig}
\usepackage{boxedminipage}
\usepackage{url}
\usepackage{fancyhdr}
\usepackage{titlesec}
\addtolength{\hoffset}{-0.5cm}
\addtolength{\textwidth}{1cm}
\date{}
\usepackage{color}
\definecolor{grey1}{gray}{0.8}
\definecolor{grey2}{gray}{0.3}
% Based on Antonina Liedtke's article in Linux+ 6/2003
\def\greyp{%
\unitlength=1mm%
\begin{picture}(0,0)
\put(0,-1.5){\textcolor{grey1}{\rule{13.9cm}{5.3mm}}\textcolor{grey2}%
{\rule{9mm}{5.3mm}}\hss}
\end{picture}
}
\pagestyle{fancy}
\fancyhead{}
\fancyfoot{}
\renewcommand{\headrulewidth}{0pt}
\fancyhead[RO]{\textbf{\sffamily{{\textcolor{white}{\thepage}}~}}}
\fancyhead[RE]{\footnotesize{\nouppercase{\rightmark~}}}
\fancyhead[LO]{\footnotesize{\greyp{\nouppercase{\leftmark}}}}
\newcommand{\pl}{\vspace{.3cm}}
\newcommand{\rc}[2]{\textbf{#1: } #2\\[4pt]}
\newcommand{\up}[2]{\textbf{--#1: } #2\\[4pt]}
\newcommand{\email}[1]{\texttt{#1}}
\newcommand{\vbt}[1]{\verb+#1+}
\newcommand{\cons}[1]{\vspace{2mm} \noindent \ovalbox {\sffamily #1}
\vspace{2mm}}
\begin{document}
\setcounter{page}{0}
\pagestyle{empty}
\includegraphics[width=353pt]{clam.eps}
\vspace{3cm}
\begin{flushright}
\rule[-1ex]{8cm}{3pt}\\
\huge Clam AntiVirus 0.91\\
\huge \emph{User Manual}\\
\end{flushright}
\newpage
\pagestyle{fancy}
\tableofcontents
\vspace{1.5cm}
\noindent
\begin{boxedminipage}[b]{\textwidth}
ClamAV User Manual, \copyright \ 2002 - 2007 Tomasz Kojm\\
This document is distributed under the terms of the GNU General
Public License v2.\\
Clam AntiVirus is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.\\
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.\\
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
MA 02110-1301, USA.
\end{boxedminipage}

\vspace{0.5cm}
\noindent
\begin{boxedminipage}[b]{\textwidth}
ClamAV and Clam AntiVirus are trademarks of Tomasz Kojm.
\end{boxedminipage}

\newpage
\section{Introduction}
Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX,
designed especially for e-mail scanning on mail gateways. It provides
a number of utilities including a flexible and scalable multi-threaded
daemon, a command line scanner and an advanced tool for automatic database
updates. The core of the package is an anti-virus engine available in the
form of a shared library.
\subsection{Features}
\begin{itemize}
\item{Licensed under the GNU General Public License, Version 2}
\item{POSIX compliant, portable}
\item{Fast scanning}
\item{Supports on-access scanning (Linux and FreeBSD only)}
\item{Detects over 135.000 viruses, worms and trojans, including
Microsoft Office macro viruses, mobile malware, and other threats}
\item{Scans within archives and compressed files (also protects
against archive bombs), built-in support includes:
\begin{itemize}
\item Zip (including SFX)
\item RAR (including SFX)
\item Tar
\item Gzip
\item Bzip2
\item MS OLE2
\item MS Cabinet Files (including SFX)
\item MS CHM (Compiled HTML)
\item MS SZDD compression format
\item BinHex
\item SIS (SymbianOS packages)
\end{itemize}}
\item{Supports Portable Executable (32/64-bit) files compressed or obfuscated with:}
\begin{itemize}
\item UPX
\item FSG
\item Petite
\item NsPack
\item wwpack32
\item MEW
\item Upack
\item SUE
\item Y0da Cryptor
\end{itemize}
\item{Supports almost all mail file formats}
\item{Support for other special files/formats includes:}
\begin{itemize}
\item HTML
\item RTF
\item PDF
\item Files encrypted with CryptFF and ScrEnc
\item uuencode
\item TNEF (winmail.dat)
\end{itemize}
\item{Advanced database updater with support for scripted updates,
digital signatures and DNS based database version queries}
\end{itemize}

\subsection{Mailing lists and IRC channel}
If you have trouble installing or using ClamAV try asking on our mailing
lists. There are four lists available:
\begin{itemize}
\item \textbf{clamav-announce*lists.clamav.net} - info about new versions,
moderated\footnote{Subscribers are not allowed to post to the mailing
list}.
\item \textbf{clamav-users*lists.clamav.net} - user questions
\item \textbf{clamav-devel*lists.clamav.net} - technical discussions
\item \textbf{clamav-virusdb*lists.clamav.net} - database update announcements, moderated
\end{itemize}
\noindent You can subscribe and search the mailing list archives at:
\url{http://www.clamav.net/support/ml/}\\
Alternatively you can try asking on the \verb+#clamav+ IRC channel - launch
your favourite irc client and type:
\begin{verbatim}
/server irc.freenode.net
/join #clamav
\end{verbatim}
\subsection{Virus submitting}
If you have got a virus which is not detected by your ClamAV with the latest
databases, please submit the sample at our website:
\begin{center}
\url{http://www.clamav.net/sendvirus}
\end{center}
\section{Base package}
\subsection{Supported platforms}
Most popular UNIX operating systems are supported. Clam AntiVirus 0.90 was
tested on:
\begin{itemize}
\item{GNU/Linux}
\item{Solaris}
\item{FreeBSD}
\item{OpenBSD} \footnote{Installation from a port is recommended.}
\item{Mac OS X}
\end{itemize}
Some features may not be available on your operating system. If you
are successfully running Clam AntiVirus on a system not listed above
please let us know.
\subsection{Binary packages}
You can find the up-to-date list of binary packages at our website:
\url{http://www.clamav.net/download/packages/}
\section{Installation}
\subsection{Requirements}
The following elements are required to compile ClamAV:
\begin{itemize}
\item zlib and zlib-devel packages
\item gcc compiler suite (tested with 2.9x, 3.x and 4.x series)
\end{itemize}
The following packages are optional but \textbf{highly recommended}:
\begin{itemize}
\item bzip2 and bzip2-devel library
\item GNU MP 3\\
It's very important to install the GMP package because it allows
\verb+freshclam+ to verify the digital signatures of the virus
databases and scripted updates. If freshclam was compiled without GMP
support it will display "SECURITY WARNING: NO SUPPORT FOR DIGITAL
SIGNATURES" on every update. You can download GNU MP at
\url{http://www.swox.com/gmp/}\\
A note for Solaris/SPARC users: you must set the \emph{ABI} system
variable to 32 (e.g. \verb+setenv ABI 32+) before running the
configuration script of GMP.
\end{itemize}

\subsection{Installing on shell account}
To install ClamAV locally on an unprivileged shell account you need not
create any additional users or groups. Assuming your home directory is
\verb+/home/gary+ you should build it as follows:
\begin{verbatim}
$ ./configure --prefix=/home/gary/clamav --disable-clamav
$ make; make install
\end{verbatim}
To test your installation execute:
\begin{verbatim}
$ ~/clamav/bin/freshclam
$ ~/clamav/bin/clamscan ~
\end{verbatim}
The \verb+--disable-clamav+ switch disables the check for existence of
the \emph{clamav} user and group but \verb+clamscan+ would still require an
unprivileged account to work in a superuser mode.
\subsection{Adding new system user and group}
If you are installing ClamAV for the first time, you have to add a new
user and group to your system: \footnote{Cygwin note: If you do not have
/etc/passwd you can skip this step}
\begin{verbatim}
# groupadd clamav
# useradd -g clamav -s /bin/false -c "Clam AntiVirus" clamav
\end{verbatim}
Consult a system manual if your OS does not have the \emph{groupadd} and
\emph{useradd} utilities. \textbf{Don't forget to lock access to the
account!}
\subsection{Compilation of base package}
Once you have created the clamav user and group, please extract the archive:
\begin{verbatim}
$ zcat clamav-x.yz.tar.gz | tar xvf -
$ cd clamav-x.yz
\end{verbatim}
Assuming you want to install the configuration files in /etc, configure
and build the software as follows:
\begin{verbatim}
$ ./configure --sysconfdir=/etc
$ make
$ su -c "make install"
\end{verbatim}
In the last step the software is installed into the /usr/local directory
and the config files into /etc. \textbf{WARNING: Never enable the SUID
or SGID bits for Clam AntiVirus binaries.}
\subsection{Compilation with clamav-milter enabled}
libmilter and its development files are required. To enable clamav-milter,
configure ClamAV with
\begin{verbatim}
$ ./configure --enable-milter
\end{verbatim}
\section{Configuration}
\subsection{clamd}
Before you start using the daemon you have to edit the configuration file
(otherwise \verb+clamd+ won't run):
\begin{verbatim}
$ clamd
ERROR: Please edit the example config file /etc/clamd.conf.
\end{verbatim}
This shows the location of the default configuration file. The format and
options of this file are fully described in the \emph{clamd.conf(5)}
manual. The config file is well commented and configuration should be
straightforward.
\subsubsection{On-access scanning}
One of the interesting features of \verb+clamd+ is on-access scanning
based on the Dazuko module, available from \url{http://dazuko.org/}.
\textbf{This module is not required to run clamd - furthermore, you
shouldn't run Dazuko on production systems}. At the moment Dazuko is
available for Linux and FreeBSD, but the following information only covers
Linux.
\begin{verbatim}
$ tar zxpvf dazuko-a.b.c.tar.gz
$ cd dazuko-a.b.c
$ make dazuko
or
$ make dazuko-smp (for smp kernels)
$ su
# insmod dazuko.o
# cp dazuko.o /lib/modules/`uname -r`/misc
# depmod -a
\end{verbatim}
Depending on your Linux distribution you may need to add a "dazuko" entry to
\emph{/etc/modules} or load the module during system startup by adding
\begin{verbatim}
/sbin/modprobe dazuko
\end{verbatim}
to some startup file. You must also create a new device:
\begin{verbatim}
$ cat /proc/devices | grep dazuko
254 dazuko
$ su -c "mknod -m 600 /dev/dazuko c 254 0"
\end{verbatim}
Now configure Clamuko in \verb+clamd.conf+ and read the \ref{clamuko}
section.
\subsection{clamav-milter}
Nigel Horne's \verb+clamav-milter+ is a very efficient email scanner
designed for Sendmail. It's written entirely in C and only depends on
\verb+libclamav+ or \verb+clamd+. You can find detailed installation
instructions in the \verb+INSTALL+ file that comes with the clamav-milter
sources. Basically, to connect it with Sendmail add the following lines to
\verb+/etc/mail/sendmail.mc+:
\begin{verbatim}
INPUT_MAIL_FILTER(`clmilter',`S=local:/var/run/clamav/clmilter.sock,
F=, T=S:4m;R:4m')dnl
define(`confINPUT_MAIL_FILTERS', `clmilter')
\end{verbatim}
If you're running it in \verb+--external+ mode, check for an entry in
\verb+clamd.conf+ of the form:
\begin{verbatim}
LocalSocket /var/run/clamav/clamd.sock
\end{verbatim}
Start clamav-milter
\begin{verbatim}
/usr/local/sbin/clamav-milter -lo /var/run/clamav/clmilter.sock
\end{verbatim}
and restart sendmail.
\subsection{Testing}
Try to scan the source directory recursively:
\begin{verbatim}
$ clamscan -r -l scan.txt clamav-x.yz
\end{verbatim}
It should find some test files in the clamav-x.yz/test directory.
The scan result will be saved in the \verb+scan.txt+ log file
\footnote{To get more info on clamscan options run 'man clamscan'}.
To test \verb+clamd+, start it and use \verb+clamdscan+ (or instead connect
directly to its socket and run the SCAN command):
\begin{verbatim}
$ clamdscan -l scan.txt clamav-x.yz
\end{verbatim}
Please note that the scanned files must be accessible by the user running
\verb+clamd+ or you will get an error.
\subsection{Setting up auto-updating}
\verb+freshclam+ is the automatic database update tool for Clam AntiVirus.
It can work in two modes:
\begin{itemize}
\item interactive - on demand from command line
\item daemon - silently in the background
\end{itemize}
\verb+freshclam+ is an advanced tool: it supports scripted updates (instead
of transferring the whole CVD file at each update it only transfers the
differences between the latest and the current database via a special
script), database version checks through DNS, proxy servers (with
authentication), digital signatures and various error scenarios.
\textbf{Quick test: run freshclam (as superuser) with no parameters
and check the output.} If everything is OK you may create the log file in
/var/log (owned by \emph{clamav} or another user \verb+freshclam+ will be
running as):
\begin{verbatim}
# touch /var/log/freshclam.log
# chmod 600 /var/log/freshclam.log
# chown clamav /var/log/freshclam.log
\end{verbatim}
Now you \emph{should} edit the configuration file \verb+freshclam.conf+
and point the \emph{UpdateLogFile} directive to the log file. Finally, to
run \verb+freshclam+ in the daemon mode, execute:
\begin{verbatim}
# freshclam -d
\end{verbatim}
The other way is to use the \emph{cron} daemon. You have to add the
following line to the crontab of \textbf{root} or \textbf{clamav} user:
{\small
\begin{verbatim}
N * * * * /usr/local/bin/freshclam --quiet
\end{verbatim}}
\noindent to check for a new database every hour. \textbf{N should be a
number between 3 and 57 of your choice. Please don't choose any multiple
of 10, because there are already too many clients using those time slots.}
Proxy settings are only configurable via the configuration file and
\verb+freshclam+ will require strict permission settings for the config
file when \verb+HTTPProxyPassword+ is turned on.
\begin{verbatim}
HTTPProxyServer myproxyserver.com
HTTPProxyPort 1234
HTTPProxyUsername myusername
HTTPProxyPassword mypass
\end{verbatim}

\subsubsection{Closest mirrors}
The \verb+DatabaseMirror+ directive in the config file specifies the
database server \verb+freshclam+ will attempt (up to \verb+MaxAttempts+
times) to download the database from. The default database mirror
is \url{database.clamav.net} but multiple directives are allowed.
In order to download the database from the closest mirror you should
configure \verb+freshclam+ to use \url{db.xx.clamav.net} where xx
represents your country code. For example, if your server is in "Ascension
Island" you should have the following lines included in \verb+freshclam.conf+:
\begin{verbatim}
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.ac.clamav.net
DatabaseMirror database.clamav.net
\end{verbatim}
The second entry acts as a fallback in case the connection to the first
mirror fails for some reason. The full list of two-letter country codes
is available at \url{http://www.iana.org/cctld/cctld-whois.htm}
\section{Usage}
\subsection{Clam daemon}\label{clamd}
\verb+clamd+ is a multi-threaded daemon that uses \emph{libclamav}
to scan files for viruses. It may work in one or both modes listening on:
\begin{itemize}
\item Unix (local) socket
\item TCP socket
\end{itemize}
The daemon is fully configurable via the \verb+clamd.conf+ file
\footnote{man 5 clamd.conf}. \verb+clamd+ recognizes the following commands:
\begin{itemize}
\item \textbf{PING}\\
Check the daemon's state (should reply with "PONG").
\item \textbf{VERSION}\\
Print program and database versions.
\item \textbf{RELOAD}\\
Reload the databases.
\item \textbf{SHUTDOWN}\\
Perform a clean exit.
\item \textbf{SCAN file/directory}\\
Scan file or directory (recursively) with archive support
enabled (a full path is required).
\item \textbf{RAWSCAN file/directory}\\
Scan file or directory (recursively) with archive and special file
support disabled (a full path is required).
\item \textbf{CONTSCAN file/directory}\\
Scan file or directory (recursively) with archive support
enabled and don't stop the scanning when a virus is found.
\item \textbf{MULTISCAN file/directory}\\
Scan file in a standard way or scan directory (recursively) using
multiple threads (to make the scanning faster on SMP machines).
\item \textbf{STREAM}\\
Scan stream: \verb+clamd+ will return a new port number you should
connect to and send data to scan.
\item \textbf{SESSION, END}\\
Start/end a \verb+clamd+ session - you can do multiple commands
per TCP session (WARNING: due to the \verb+clamd+ implementation the
\textbf{RELOAD} command will break the session).
\end{itemize}
and reacts to the special signals:
\begin{itemize}
\item \textbf{SIGTERM} - perform a clean exit
\item \textbf{SIGHUP} - reopen the log file
\item \textbf{SIGUSR2} - reload the database
\end{itemize}
\subsection{Clam\textbf{d}scan}
\verb+clamdscan+ is a simple \verb+clamd+ client. In many cases you can
use it as a \verb+clamscan+ replacement; however, you must remember that:
\begin{itemize}
\item it only depends on \verb+clamd+
\item although it accepts the same command line options as
\verb+clamscan+ most of them are ignored because they must be
enabled directly in \verb+clamd+, i.e. \verb+clamd.conf+
\item scanned files must be accessible for \verb+clamd+
\item it can't use external unpackers
\end{itemize}
\subsection{Clamuko}\label{clamuko}
Clamuko is a special thread in \verb+clamd+ that performs on-access
scanning under Linux and FreeBSD and shares internal virus database
with the daemon. \textbf{You must follow some important rules when
using it:}
\begin{itemize}
\item Always stop the daemon cleanly - using the SHUTDOWN command or
the\\ SIGTERM signal. Otherwise you can lose access
to protected files until the system is restarted.
\item Never protect the directory your mail-scanner software
uses for attachment unpacking. Access to all infected
files will be automatically blocked and the scanner (including
\verb+clamd+!) will not be able to detect any viruses. As a
result \textbf{all infected mails may be delivered.}
\end{itemize}
For example, to protect the whole system add the following lines to
\verb+clamd.conf+:
\begin{verbatim}
ClamukoScanOnAccess
ClamukoIncludePath /
ClamukoExcludePath /proc
ClamukoExcludePath /temporary/dir/of/your/mail/scanning/software
\end{verbatim}
You can also use clamuko to protect files on Samba/Netatalk but a far
better and safer idea is to use the \textbf{samba-vscan} module.
NFS is not supported because Dazuko doesn't intercept NFS access calls.
\subsection{Output format}
\subsubsection{clamscan}
\verb+clamscan+ writes all regular program messages to \textbf{stdout} and
errors/warnings to \textbf{stderr}. You can use the option \verb+--stdout+
to redirect all program messages to \textbf{stdout}. Warnings and error
messages from \verb+libclamav+ are always printed to \textbf{stderr}.
A typical output from \verb+clamscan+ looks like this:
\begin{verbatim}
/tmp/test/removal-tool.exe: Worm.Sober FOUND
/tmp/test/md5.o: OK
/tmp/test/blob.c: OK
/tmp/test/message.c: OK
/tmp/test/error.hta: VBS.Inor.D FOUND
\end{verbatim}
When a virus is found its name is printed between the \verb+filename:+ and
\verb+FOUND+ strings. In case of archives the scanner depends on libclamav
and only prints the first virus found within an archive:
\begin{verbatim}
zolw@localhost:/tmp$ clamscan malware.zip
malware.zip: Worm.Mydoom.U FOUND
\end{verbatim}
\emph{\textbf{TIP:} You can force clamscan to list all infected
files in an archive using --no-archive (this option disables
transparent decompressors built into libclamav) and enabling external
decompressors: --unzip --unrar...}.\\[4pt]
\begin{verbatim}
zolw@localhost:/tmp$ clamscan --no-archive --unzip malware.zip
Archive: /tmp/malware.zip
inflating: test1.exe
inflating: test2.exe
inflating: test3.exe
/tmp/clamav-77e7bfdbb2d3872b/test1.exe: Worm.Mydoom.U FOUND
/tmp/clamav-77e7bfdbb2d3872b/test2.exe: Trojan.Taskkill.A FOUND
/tmp/clamav-77e7bfdbb2d3872b/test3.exe: Worm.Nyxem.D FOUND
/tmp/malware.zip: Infected.Archive FOUND
\end{verbatim}
\subsubsection{clamd}
The output format of \verb+clamd+ is very similar to \verb+clamscan+.
\begin{verbatim}
zolw@localhost:~$ telnet localhost 3310
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SCAN /home/zolw/test
/home/zolw/test/clam.exe: ClamAV-Test-File FOUND
Connection closed by foreign host.
\end{verbatim}
In the \textbf{SCAN} mode it closes the connection when the first virus
is found.
\begin{verbatim}
SCAN /home/zolw/test/clam.zip
/home/zolw/test/clam.zip: ClamAV-Test-File FOUND
\end{verbatim}
\textbf{CONTSCAN} and \textbf{MULTISCAN} don't stop scanning in case
a virus is found.\\
Error messages are printed in the following format:
\begin{verbatim}
SCAN /no/such/file
/no/such/file: Can't stat() the file. ERROR
\end{verbatim}
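The result lines shown in this section can be parsed mechanically by software that wraps \verb+clamscan+ or \verb+clamd+. The following C parser is an added example, not code from the ClamAV distribution: \verb+parse_result_line+ and \verb+struct scan_result+ are hypothetical names, the sample lines in \verb+main+ are constructed in the format of the listings above, and it assumes that signature names contain no spaces. It splits each line from the right, so a scanned path that itself contains \verb+: OK+ is not mistaken for a clean verdict, and unpacker chatter is rejected rather than guessed at.

```c
#include <stdio.h>
#include <string.h>

/* Verdict carried by one clamscan/clamd result line. */
enum scan_verdict { SCAN_UNPARSED, SCAN_OK, SCAN_FOUND, SCAN_ERROR };

struct scan_result {
    enum scan_verdict verdict;
    char path[512];   /* scanned file or directory */
    char detail[256]; /* virus name or error text; empty for OK */
};

static int has_suffix(const char *s, size_t len, const char *suf)
{
    size_t n = strlen(suf);
    return len >= n && memcmp(s + len - n, suf, n) == 0;
}

/* Bounded copy that refuses empty or oversized fields instead of truncating. */
static int copy_field(char *dst, size_t cap, const char *src, size_t n)
{
    if (n == 0 || n >= cap)
        return 0;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 1;
}

/* Index of the last ": " in s[0..len), or -1 if there is none. */
static long last_separator(const char *s, size_t len)
{
    long i;
    for (i = (long)len - 2; i >= 0; i--)
        if (s[i] == ':' && s[i + 1] == ' ')
            return i;
    return -1;
}

/* Parse "<path>: OK", "<path>: <name> FOUND" or "<path>: <message> ERROR".
 * The verdict keyword is matched at the end of the line only. */
enum scan_verdict parse_result_line(const char *line, struct scan_result *out)
{
    size_t len = strlen(line), dlen;
    enum scan_verdict v;
    long sep;

    memset(out, 0, sizeof(*out)); /* verdict starts as SCAN_UNPARSED */
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;

    if (has_suffix(line, len, ": OK")) {
        if (copy_field(out->path, sizeof(out->path), line, len - 4))
            out->verdict = SCAN_OK;
        return out->verdict;
    }
    if (has_suffix(line, len, " FOUND"))
        v = SCAN_FOUND;
    else if (has_suffix(line, len, " ERROR"))
        v = SCAN_ERROR;
    else
        return SCAN_UNPARSED;
    len -= 6; /* drop the verdict keyword */

    sep = last_separator(line, len);
    if (sep < 1)
        return SCAN_UNPARSED;
    dlen = len - (size_t)sep - 2;
    /* Assumption: signature names never contain a space. */
    if (v == SCAN_FOUND && memchr(line + sep + 2, ' ', dlen) != NULL)
        return SCAN_UNPARSED;
    if (!copy_field(out->path, sizeof(out->path), line, (size_t)sep) ||
        !copy_field(out->detail, sizeof(out->detail), line + sep + 2, dlen)) {
        memset(out, 0, sizeof(*out));
        return SCAN_UNPARSED;
    }
    out->verdict = v;
    return v;
}

int main(void)
{
    /* Constructed sample lines in the format of the listings above. */
    static const char *sample[] = {
        "/tmp/test/md5.o: OK",
        "/tmp/test/error.hta: VBS.Inor.D FOUND",
        "/no/such/file: Can't stat() the file. ERROR",
        "/tmp/upload/note: OK: Worm.Mydoom.U FOUND", /* path contains ": OK" */
        "  inflating: test1.exe",                     /* unpacker chatter */
    };
    static const char *label[] = { "UNPARSED", "OK", "FOUND", "ERROR" };
    struct scan_result r;
    size_t i;

    for (i = 0; i < sizeof(sample) / sizeof(sample[0]); i++) {
        parse_result_line(sample[i], &r);
        printf("%-8s path=[%s] detail=[%s]\n", label[r.verdict], r.path, r.detail);
    }
    return 0;
}
```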
\section{LibClamAV}
Libclamav provides an easy and effective way to add virus protection to
your software. The library is thread-safe and transparently recognizes and
scans within archives, mail files, MS Office document files, executables
and other special formats.
\subsection{Licence}
Libclamav is licensed under the GNU GPL v2 licence. This means you are
\textbf{not allowed} to link commercial, closed-source applications
against it\footnote{You can still use clamd or clamscan instead}.
All software using libclamav must be GPL compliant.

\subsection{Supported formats}
\subsubsection{Executables}
The library has built-in support for 32/64-bit Portable Executable files
and 32-bit ELF files. Additionally, it can handle PE files compressed or
obfuscated with the following tools:
\begin{itemize}
\item UPX (all versions)
\item FSG (1.3, 1.31, 1.33, 2.0)
\item Petite (2.x)
\item NsPack
\item wwpack32 (1.20)
\item MEW
\item Upack
\item SUE
\item Y0da Cryptor (1.3)
\end{itemize}
\subsubsection{Mail files}
Libclamav can handle almost every mail file format including TNEF
(winmail.dat) attachments.
\subsubsection{Archives and compressed files}
The following archive and compression formats are supported by internal
handlers:
\begin{itemize}
\item Zip (+ SFX)
\item RAR (+ SFX)
\item Tar
\item Gzip
\item Bzip2
\item MS OLE2
\item MS Cabinet Files (+ SFX)
\item MS CHM (Compiled HTML)
\item MS SZDD compression format
\item BinHex
\item SIS (SymbianOS packages)
\end{itemize}

\subsubsection{Documents}
The most popular file formats are supported:
\begin{itemize}
\item MS Office and MacOffice files
\item RTF
\item PDF
\item HTML
\end{itemize}

\subsubsection{Others}
Libclamav can handle various obfuscators, encoders, files vulnerable to
security risks such as:
\begin{itemize}
\item JPEG (exploit detection)
\item RIFF (exploit detection)
\item uuencode
\item ScrEnc obfuscation
\item CryptFF
\end{itemize}
\subsection{API}
\subsubsection{Header file}
Every program using libclamav must include the header file \verb+clamav.h+:
\begin{verbatim}
#include <clamav.h>
\end{verbatim}
\subsubsection{Database loading}
The following set of functions provides an interface for loading
the virus database:
\begin{verbatim}
const char *cl_retdbdir(void);

int cl_load(const char *path, struct cl_engine **engine,
            unsigned int *signo, unsigned int options);
\end{verbatim}
\verb+cl_retdbdir+ returns the default (hardcoded) path to the directory
with ClamAV databases.
\verb+cl_load+ loads a single database file or all databases from a
directory (if \verb+path+ points to a directory). The second argument
is used for passing in the engine structure which should be previously
initialized with NULL. A number of loaded signatures will be \textbf{added}
to \verb+signo+ \footnote{Remember to initialize the virus counter
variable with 0.}. The last argument can pass the following flags:
\begin{itemize}
\item \textbf{CL\_DB\_STDOPT}\\
This is an alias for a recommended set of scan options.
\item \textbf{CL\_DB\_PHISHING}\\
Load phishing signatures.
\item \textbf{CL\_DB\_PHISHING\_URLS}\\
Initialize the phishing detection module and load .wdb and .pdb files.
\end{itemize}
\verb+cl_load+ returns 0 (\verb+CL_SUCCESS+) on success and a non-zero
value on failure.
\begin{verbatim}
    ...
    struct cl_engine *engine = NULL;
    unsigned int sigs = 0;
    int ret;

    ret = cl_load(cl_retdbdir(), &engine, &sigs, CL_DB_STDOPT);
\end{verbatim}
\subsubsection{Error handling}
Use \verb+cl_strerror+ to convert error codes into human readable messages.
The function returns a statically allocated string:
\begin{verbatim}
    if(ret) {
        printf("cl_load() error: %s\n", cl_strerror(ret));
        exit(1);
    }
\end{verbatim}

\subsubsection{Engine structure}
When all required databases are loaded you should prepare the detection
engine by calling \verb+cl_build+. In the case of failure you should
free the memory occupied by the engine with \verb+cl_free+:
\begin{verbatim}
int cl_build(struct cl_engine *engine);
void cl_free(struct cl_engine *engine);
\end{verbatim}
In our example:
\begin{verbatim}
    if((ret = cl_build(engine))) {
        printf("cl_build() error: %s\n", cl_strerror(ret));
        cl_free(engine);
        exit(1);
    }
\end{verbatim}
\subsection{Database reloading}
The most important thing is to keep the internal instance of the database
up to date. You can watch database changes with the \verb+cl_stat+
family of functions.
\begin{verbatim}
int cl_statinidir(const char *dirname, struct cl_stat *dbstat);
int cl_statchkdir(const struct cl_stat *dbstat);
int cl_statfree(struct cl_stat *dbstat);
\end{verbatim}
Initialization:
\begin{verbatim}
...
struct cl_stat dbstat;
memset(&dbstat, 0, sizeof(struct cl_stat));
cl_statinidir(dbdir, &dbstat);
\end{verbatim}
To check for a change you just need to call \verb+cl_statchkdir+ and check
its return value:
\begin{verbatim}
    if(cl_statchkdir(&dbstat) == 1) {
        reload_database...;
        cl_statfree(&dbstat);
        cl_statinidir(cl_retdbdir(), &dbstat);
    }
\end{verbatim}
Remember to reset the \verb+cl_stat+ structure after reload.
\subsubsection{Data scan functions}
It's possible to scan a file or descriptor using:
\begin{verbatim}
int cl_scanfile(const char *filename, const char **virname,
    unsigned long int *scanned, const struct cl_engine *engine,
    const struct cl_limits *limits, unsigned int options);

int cl_scandesc(int desc, const char **virname, unsigned
    long int *scanned, const struct cl_engine *engine, const
    struct cl_limits *limits, unsigned int options);
\end{verbatim}
Both functions will save a virus name under the pointer \verb+virname+;
the virus name is part of the engine structure and must not be released
directly. If the third argument (\verb+scanned+) is not NULL, the
functions will increase its value with the size of scanned data (in
\verb+CL_COUNT_PRECISION+ units). Both functions have support for archive
limits in order to protect against Denial of Service attacks.
\begin{verbatim}
struct cl_limits {
    unsigned int maxreclevel;     /* maximum recursion level for archives */
    unsigned int maxfiles;        /* maximum number of files to be scanned
                                   * within a single archive
                                   */
    unsigned int maxmailrec;      /* maximum recursion level for mail files */
    unsigned int maxratio;        /* maximum compression ratio */
    unsigned long int maxfilesize;/* compressed files larger than this limit
                                   * will not be scanned
                                   */
    unsigned short archivememlim; /* limit memory usage for some unpackers */
};
\end{verbatim}
The last argument (\verb+options+) configures the scan engine and supports
the following flags (that can be combined using bit operators):
\begin{itemize}
\item \textbf{CL\_SCAN\_STDOPT}\\
This is an alias for a recommended set of scan options. You
should use it to make your software ready for new features
in future versions of libclamav.
\item \textbf{CL\_SCAN\_RAW}\\
Use it alone if you want to disable support for special files.
\item \textbf{CL\_SCAN\_ARCHIVE}\\
This flag enables transparent scanning of various archive formats.
\item \textbf{CL\_SCAN\_BLOCKENCRYPTED}\\
With this flag the library will mark encrypted archives as viruses
(Encrypted.Zip, Encrypted.RAR).
\item \textbf{CL\_SCAN\_BLOCKMAX}\\
Mark archives as viruses if the \verb+maxfiles+, \verb+maxfilesize+,
or \verb+maxreclevel+ limit is reached.
\item \textbf{CL\_SCAN\_MAIL}\\
Enable support for mail files.
\item \textbf{CL\_SCAN\_MAILURL}\\
The mail scanner will download and scan URLs listed in a mail
body. This flag should not be used on loaded servers. Because of
potential problems, do not enable it by default; make it
optional instead.
\item \textbf{CL\_SCAN\_OLE2}\\
Enables support for OLE2 containers (used by MS Office and .msi
files).
\item \textbf{CL\_SCAN\_PDF}\\
Enables scanning within PDF files.
\item \textbf{CL\_SCAN\_PE}\\
This flag enables deep scanning of Portable Executable files and
allows libclamav to unpack executables compressed with run-time
unpackers.
\item \textbf{CL\_SCAN\_ELF}\\
Enable support for ELF files.
\item \textbf{CL\_SCAN\_BLOCKBROKEN}\\
libclamav will try to detect broken executables and mark them as
Broken.Executable.
\item \textbf{CL\_SCAN\_HTML}\\
This flag enables HTML normalisation (including ScrEnc
decryption).
\item \textbf{CL\_SCAN\_ALGORITHMIC}\\
Enable algorithmic detection of viruses.
\item \textbf{CL\_SCAN\_PHISHING\_DOMAINLIST}\\
Phishing module: restrict URL scanning to domains from .pdb
(RECOMMENDED).
\item \textbf{CL\_SCAN\_PHISHING\_BLOCKSSL}\\
Phishing module: always block SSL mismatches in URLs.
\item \textbf{CL\_SCAN\_PHISHING\_BLOCKCLOAK}\\
Phishing module: always block cloaked URLs.
\end{itemize}
All functions return 0 (\verb+CL_CLEAN+) when the file seems clean,
\verb+CL_VIRUS+ when a virus is detected and another value on failure.
\begin{verbatim}
    ...
    struct cl_limits limits;
    const char *virname;

    memset(&limits, 0, sizeof(struct cl_limits));
    limits.maxfiles = 1000;            /* max files */
    limits.maxfilesize = 10 * 1048576; /* maximum size of archived or
                                        * compressed file (files exceeding
                                        * this limit will be ignored)
                                        */
    limits.maxreclevel = 5;            /* maximum recursion level for archives */
    limits.maxmailrec = 64;            /* maximum recursion level for mail files */
    limits.maxratio = 200;             /* maximum compression ratio */

    /* CL_SCAN_STDOPT is the recommended option set from the flag list */
    if((ret = cl_scanfile("/tmp/test.exe", &virname, NULL, engine,
                          &limits, CL_SCAN_STDOPT)) == CL_VIRUS) {
        printf("Virus detected: %s\n", virname);
    } else {
        printf("No virus detected.\n");
        if(ret != CL_CLEAN)
            printf("Error: %s\n", cl_strerror(ret));
    }
\end{verbatim}
\subsubsection{Memory}
Because the engine structure consumes a few megabytes of system memory, you
should release it with \verb+cl_free+ if you no longer need to scan files.
\subsubsection{clamav-config}
Use \verb+clamav-config+ to check compilation information for libclamav.
\begin{verbatim}
zolw@localhost:~$ clamav-config --libs
-L/usr/local/lib -lz -lbz2 -lgmp -lpthread
zolw@localhost:~$ clamav-config --cflags
-I/usr/local/include -g -O2
\end{verbatim}
\subsubsection{Example}
You will find an example scanner application in the clamav sources
(/example). Don't forget that all programs based on libclamav must be
linked against it:
\begin{verbatim}
gcc -Wall ex1.c -o ex1 -lclamav
\end{verbatim}
\subsection{CVD format}
CVD (ClamAV Virus Database) is a digitally signed tarball containing
one or more databases. The header is a 512-byte string with
colon-separated fields:
\begin{verbatim}
ClamAV-VDB:build time:version:number of signatures:functionality
level required:MD5 checksum:digital signature:builder name:build time (sec)
\end{verbatim}
\verb+sigtool --info+ displays detailed information on CVD files:
\begin{verbatim}
zolw@localhost:/usr/local/share/clamav$ sigtool -i daily.cvd
Build time: 11 Feb 2007 19-28 +0000
Version: 2553
# of signatures: 6063
Functionality level: 9
Builder: ccordes
MD5: 7f337b409249e11dea3effb04dd352f2
Digital signature: 6Ybd2eeDHBAs8raaEwmayqzoa5ysGDNnQ5Cc89mS2VCm1jRXZP
ke/itmkTyYQTc/rgJc2uQPr+NvzvUxRpsniwoyZ/gIkPniCLnqVCYOOytwtmirivbrV8j
0kzxb9nHd+5UQqj/Z3rLbS7T5HCbRX3uE0JX1tAo642Gq9ACH9Fc
Verification OK.
\end{verbatim}
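The header layout described in this section can be validated before any of its fields are trusted. The following C parser is an added example, not code from libclamav or the ClamAV sources: it splits a 512-byte header into its nine colon-separated fields and rejects malformed input without checking the digital signature. The names \verb+cvd_parse_header+, \verb+cvd_parse_text+ and \verb+struct cvd_header+ are hypothetical, trailing whitespace padding is an assumption, and the sample header is constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CVD_HEADER_SIZE 512 /* header length stated in the manual */
#define CVD_NFIELDS 9       /* "ClamAV-VDB" plus the eight fields after it */

struct cvd_header {               /* hypothetical container for the fields */
    char time[64], builder[64];   /* build time (text), builder name */
    unsigned long version, sigs, flevel, stime;
    char md5[33];                 /* 32 hex digits + NUL */
    char dsig[400];               /* digital signature, kept as opaque text */
};

/* Constructed sample: version, counts and builder follow the sigtool output
 * above; the MD5, signature and seconds values are placeholders. */
static const char CVD_SAMPLE[] =
    "ClamAV-VDB:11 Feb 2007 19-28 +0000:2553:6063:9:"
    "0123456789abcdef0123456789abcdef:CONSTRUCTED+SIG/ONLY:ccordes:1171222080";

/* Strict unsigned decimal: no sign, no spaces, no trailing junk, no overflow. */
static int parse_ulong(const char *s, unsigned long *out)
{
    char *end;
    errno = 0;
    *out = strtoul(s, &end, 10);
    return (!isdigit((unsigned char)s[0]) || errno == ERANGE || *end) ? -1 : 0;
}

/* Bounded copy that rejects empty and oversized fields instead of truncating. */
static int copy_field(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n == 0 || n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Parse the first CVD_HEADER_SIZE bytes of untrusted input. Returns 0 or -1. */
int cvd_parse_header(const unsigned char *raw, size_t len, struct cvd_header *h)
{
    char buf[CVD_HEADER_SIZE + 1], *field[CVD_NFIELDS], *p;
    size_t i, n = 0;
    if (len < CVD_HEADER_SIZE)
        return -1;                          /* truncated file */
    memcpy(buf, raw, CVD_HEADER_SIZE);
    buf[CVD_HEADER_SIZE] = '\0';
    for (i = strlen(buf); i > 0 && isspace((unsigned char)buf[i - 1]); i--)
        buf[i - 1] = '\0';                  /* drop padding (assumed) */
    field[n++] = buf;                       /* split in place on ':' */
    for (p = buf; (p = strchr(p, ':')) != NULL; field[n++] = p) {
        if (n == CVD_NFIELDS)
            return -1;                      /* more than nine fields */
        *p++ = '\0';
    }
    if (n != CVD_NFIELDS || strcmp(field[0], "ClamAV-VDB") != 0 ||
        strspn(field[5], "0123456789abcdefABCDEF") != 32 || field[5][32] != '\0' ||
        copy_field(h->time, sizeof h->time, field[1]) ||
        copy_field(h->md5, sizeof h->md5, field[5]) ||
        copy_field(h->dsig, sizeof h->dsig, field[6]) ||
        copy_field(h->builder, sizeof h->builder, field[7]) ||
        parse_ulong(field[2], &h->version) || parse_ulong(field[3], &h->sigs) ||
        parse_ulong(field[4], &h->flevel) || parse_ulong(field[8], &h->stime))
        return -1;
    return 0;
}

/* Helper for the sample: pad a header string to 512 bytes and parse it. */
int cvd_parse_text(const char *text, struct cvd_header *h)
{
    unsigned char raw[CVD_HEADER_SIZE];
    if (strlen(text) > sizeof raw)
        return -1;
    memset(raw, ' ', sizeof raw);
    memcpy(raw, text, strlen(text));
    return cvd_parse_header(raw, sizeof raw, h);
}

int main(void)
{
    struct cvd_header h;
    if (cvd_parse_text(CVD_SAMPLE, &h) != 0)
        return 1;
    printf("version %lu, %lu signatures, builder %s\n", h.version, h.sigs, h.builder);
    return 0;
}
```

A header that parses cleanly is only well-formed; its authenticity still depends on the signature check that \verb+sigtool+ reports as \verb+Verification OK+.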
\subsection{Contributors}
The following people contributed to our project in some way (providing
patches, bug reports, technical support, documentation, good ideas...):
\begin{itemize}
\item Ian Abbott \email{<abbotti*mev.co.uk>}
\item Clint Adams \email{<schizo*debian.org>}
\item Sergey Y. Afonin \email{<asy*kraft-s.ru>}
\item Robert Allerstorfer \email{<roal*anet.at>}
\item Claudio Alonso \email{<cfalonso*yahoo.com>}
\item Kevin Amorin \email{<kamorin*ccs.neu.edu>}
\item Kamil Andrusz \email{<wizz*mniam.net>}
\item Tayfun Asker \email{<tasker*metu.edu.tr>}
\item Jean-Edouard Babin \email{<Jeb*jeb.com.fr>}
\item Marc Baudoin \email{<babafou*babafou.eu.org>}
\item Scott Beck \email{<sbeck*gossamer-threads.com>}
\item Rolf Eike Beer \email{<eike*mail.math.uni-mannheim.de>}
\item Rene Bellora \email{<rbellora*tecnoaccion.com.ar>}
\item Carlo Marcelo Arenas Belon \email{<carenas*sajinet.com.pe>}
\item Joseph Benden \email{<joe*thrallingpenguin.com>}
\item Hilko Bengen \email{<bengen*vdst-ka.inka.de>}
\item Hank Beatty \email{<hbeatty*starband.net>}
\item Alexandre Biancalana \email{<ale*seudns.net>}
\item Patrick Bihan-Faou \email{<patrick*mindstep.com>}
\item Martin Blapp \email{<mb*imp.ch>}
\item Dale Blount \email{<dale*velocity.net>}
\item Serge van den Boom \email{<svdb*stack.nl>}
\item Oliver Brandmueller \email{<ob*e-Gitt.NET>}
\item Boguslaw Brandys \email{<brandys*o2.pl>}
\item Igor Brezac \email{<igor*ipass.net>}
\item Mike Brudenell \email{<pmb1*york.ac.uk>}
\item Brian Bruns \email{<bruns*2mbit.com>}
\item Len Budney \email{<lbudney*pobox.com>}
\item Matt Butt \email{<mattb*cre8tiv.com>}
\item Christopher X. Candreva \email{<chris*westnet.com>}
\item Eric I. Lopez Carreon \email{<elopezc*technitrade.com>}
\item Ales Casar \email{<casar*uni-mb.si>}
\item Jonathan Chen \email{<jon+clamav*spock.org>}
\item Andrey Cherezov \email{<andrey*cherezov.koenig.su>}
\item Alex Cherney \email{<alex*cher.id.au>}
\item Tom G. Christensen \email{<tgc*statsbiblioteket.dk>}
\item Nicholas Chua \email{<nicholas*ncmbox.net>}
\item Chris Conn \email{<cconn*abacom.com>}
\item Christoph Cordes \email{<ib*precompiled.de>}
\item Ole Craig \email{<olc*cs.umass.edu>}
\item Eugene Crosser \email{<crosser*rol.ru>}
\item Calin A. Culianu \email{<calin*ajvar.org>}
\item Damien Curtain \email{<damien*pagefault.org>}
\item Krisztian Czako \email{<slapic*linux.co.hu>}
\item Diego d'Ambra \email{<da*softcom.dk>}
\item Michael Dankov \email{<misha*btrc.ru>}
\item Yuri Dario \email{<mc6530*mclink.it>}
\item David \email{<djgardner*users.sourceforge.net>}
\item Maxim Dounin \email{<mdounin*rambler-co.ru>}
\item Alejandro Dubrovsky \email{<s328940*student.uq.edu.au>}
\item James P. Dugal \email{<jpd*louisiana.edu>}
\item Magnus Ekdahl \email{<magnus*debian.org>}
\item Mehmet Ekiz \email{<ekizm*tbmm.gov.tr>}
\item Jens Elkner \email{<elkner*linofee.org>}
\item Fred van Engen \email{<fred*wooha.org>}
\item Jason Englander \email{<jason*englanders.cc>}
\item Oden Eriksson \email{<oeriksson*mandrakesoft.com>}
\item Daniel Fahlgren \email{<fahlgren*ardendo.se>}
\item Andy Fiddaman \email{<af*jeamland.org>}
\item Edison Figueira Junior \email{<edison*brc.com.br>}
\item David Ford \email{<david+cert*blue-labs.org>}
\item Martin Forssen \email{<maf*appgate.com>}
\item Brian J. France \email{<list*firehawksystems.com>}
\item Free Oscar \email{<freeoscar*wp.pl>}
\item Martin Fuxa \email{<yeti*email.cz>}
\item Piotr Gackiewicz \email{<gacek*intertele.pl>}
\item Jeremy Garcia \email{<jeremy*linuxquestions.org>}
\item Dean Gaudet \email{<dean-clamav*arctic.org>}
\item Michel Gaudet \email{<Michel.Gaudet*ehess.fr>}
\item Philippe Gay \email{<ph.gay*free.fr>}
\item Nick Gazaloff \email{<nick*sbin.org>}
\item Geoff Gibbs \email{<ggibbs*hgmp.mrc.ac.uk>}
\item Luca 'NERvOus' Gibelli \email{<nervous*nervous.it>}
\item Scott Gifford \email{<sgifford*suspectclass.com>}
\item Wieslaw Glod \email{<wkg*x2.pl>}
\item Stephen Gran \email{<steve*lobefin.net>}
\item Koryn Grant \email{<koryn*endace.com>}
\item Matthew A. Grant \email{<grantma*anathoth.gen.nz>}
\item Christophe Grenier \email{<grenier*cgsecurity.org>}
\item Marek Gutkowski \email{<hobbit*core.segfault.pl>}
\item Jason Haar \email{<Jason.Haar*trimble.co.nz>}
\item Hrvoje Habjanic \email{<hrvoje.habjanic*zg.hinet.hr>}
\item Michal Hajduczenia \email{<michalis*mat.uni.torun.pl>}
\item Jean-Christophe Heger \email{<jcheger*acytec.com>}
\item Martin Heinz \email{<Martin*hemag.ch>}
\item Kevin Heneveld \email{<kevin*northstar.k12.ak.us>}
\item Anders Herbjornsen \email{<andersh*gar.no>}
\item Paul Hoadley \email{<paulh*logixsquad.net>}
\item Robert Hogan \email{<robert*roberthogan.net>}
\item Przemyslaw Holowczyc \email{<doozer*skc.com.pl>}
\item Thomas W. Holt Jr. \email{<twh*cohesive.net>}
\item James F. Hranicky \email{<jfh*cise.ufl.edu>}
\item Douglas J Hunley \email{<doug*hunley.homeip.net>}
\item Kurt Huwig \email{<kurt*iku-netz.de>}
\item Andy Igoshin \email{<ai*vsu.ru>}
\item Michal Jaegermann \email{<michal*harddata.com>}
\item Christophe Jaillet \email{<christophe.jaillet*wanadoo.fr>}
\item Jay \email{<sysop-clamav*coronastreet.net>}
\item Stephane Jeannenot \email{<stephane.jeannenot*wanadoo.fr>}
\item Per Jessen \email{<per*computer.org>}
\item Dave Jones \email{<dave*kalkbay.co.za>}
\item Jesper Juhl \email{<juhl*dif.dk>}
\item Kamil Kaczkowski \email{<kamil*kamil.eisp.pl>}
\item Alex Kah \email{<alex*narfonix.com>}
\item Stefan Kaltenbrunner \email{<stefan*kaltenbrunner.cc>}
\item Lloyd Kamara \email{<l.kamara*imperial.ac.uk>}
\item Stefan Kanthak \email{<stefan.kanthak*fujitsu-siemens.com>}
\item Kazuhiko \email{<kazuhiko*fdiary.net>}
\item Jeremy Kitchen \email{<kitchen*scriptkitchen.com>}
\item Tomasz Klim \email{<tomek*euroneto.pl>}
\item Robbert Kouprie \email{<robbert*exx.nl>}
\item Martin Kraft \email{<martin.kraft*fal.de>}
\item Petr Kristof \email{<Kristof.P*fce.vutbr.cz>}
\item Henk Kuipers \email{<henk*opensourcesolutions.nl>}
\item Nigel Kukard \email{<nkukard*lbsd.net>}
\item Eugene Kurmanin \email{<smfs*users.sourceforge.net>}
\item Dr Andrzej Kurpiel \email{<akurpiel*mat.uni.torun.pl>}
\item Mark Kushinsky \email{<mark*mdspc.com>}
\item Mike Lambert \email{<lambert*jeol.com>}
\item Thomas Lamy \email{<Thomas.Lamy*in-online.net>}
\item Stephane Leclerc \email{<sleclerc*aliastec.net>}
\item Marty Lee \email{<marty*maui.co.uk>}
\item Dennis Leeuw \email{<dleeuw*made-it.com>}
\item Martin Lesser \email{<admin-debian*bettercom.de>}
\item Peter N Lewis \email{<peter*stairways.com.au>}
\item Matt Leyda \email{<mfleyda*e-one.com>}
\item James Lick \email{<jlick*drivel.com>}
\item Jerome Limozin \email{<jerome*limozin.net>}
\item Mike Loewen \email{<mloewen*sturgeon.cac.psu.edu>}
\item Roger Lucas \email{<roger*planbit.co.uk>}
\item David Luyer \email{<david\_luyer*pacific.net.au>}
\item Richard Lyons \email{<frob-clamav*webcentral.com.au>}
\item David S. Madole \email{<david*madole.net>}
\item Thomas Madsen \email{<tm*softcom.dk>}
\item Bill Maidment \email{<bill*maidment.com.au>}
\item Joe Maimon \email{<jmaimon*ttec.com>}
\item David Majorel \email{<dm*lagoon.nc>}
\item Andrey V. Malyshev \email{<amal*krasn.ru>}
\item Fukuda Manabu \email{<fukuda*cri-mw.co.jp>}
\item Stefan Martig \email{<sm*officeco.ch>}
\item Alexander Marx \email{<mad-ml*madness.at>}
\item Andreas Marx (\url{http://www.av-test.org/})
\item Chris Masters \email{<cmasters*insl.co.uk>}
\item Fletcher Mattox \email{<fletcher*cs.utexas.edu>}
\item Serhiy V. Matveyev \email{<matveyev*uatele.com>}
\item Reinhard Max \email{<max*suse.de>}
\item Brian May \email{<bam*debian.org>}
\item Ken McKittrick \email{<klmac*usadatanet.com>}
\item Chris van Meerendonk \email{<cvm*castel.nl>}
\item Andrey J. Melnikoff \email{<temnota*kmv.ru>}
\item Damian Menscher \email{<menscher*uiuc.edu>}
\item Denis De Messemacker \email{<ddm*clamav.net>}
\item Jasper Metselaar \email{<jasper*formmailer.net>}
\item Arkadiusz Miskiewicz \email{<misiek*pld-linux.org>}
\item Ted Mittelstaedt \email{<tedm*toybox.placo.com>}
\item Mark Mielke \email{<mark*mark.mielke.cc>}
\item John Miller \email{<contact*glideslopesoftware.co.uk>}
\item Jo Mills \email{<Jonathan.Mills*frequentis.com>}
\item Dustin Mollo \email{<dustin.mollo*sonoma.edu>}
\item Remi Mommsen \email{<remigius.mommsen*cern.ch>}
\item Doug Monroe \email{<doug*planetconnect.com>}
\item Alex S Moore \email{<asmoore*edge.net>}
\item Tim Morgan \email{<tim*sentinelchicken.org>}
\item Dirk Mueller \email{<mueller*kde.org>}
\item Flinn Mueller \email{<flinn*activeintra.net>}
\item Hendrik Muhs \email{<Hendrik.Muhs*student.uni-magdeburg.de>}
\item Simon Munton \email{<simon*munton.demon.co.uk>}
\item Farit Nabiullin (\url{http://program.farit.ru/})
\item Nemosoft Unv. \email{<nemosoft*smcc.demon.nl>}
\item Wojciech Noworyta \email{<wnow*konarski.edu.pl>}
\item Jorgen Norgaard \email{<jnp*anneli.dk>}
\item Fajar A. Nugraha \email{<fajar*telkom.co.id>}
\item Joe Oaks \email{<joe.oaks*hp.com>}
\item Washington Odhiambo \email{<wash*wananchi.com>}
\item Masaki Ogawa \email{<proc*mac.com>}
\item John Ogness \email{<jogness*antivir.de>}
\item Phil Oleson \email{<oz*nixil.net>}
\item Jan Ondrej \email{<ondrejj*salstar.sk>}
\item Martijn van Oosterhout \email{<kleptog*svana.org>}
\item OpenAntiVirus Team (\url{http://www.OpenAntiVirus.org/})
\item Tomasz Papszun \email{<tomek*lodz.tpsa.pl>}
\item Eric Parsonage \email{<eric*eparsonage.com>}
\item Oliver Paukstadt \email{<pstadt*stud.fh-heilbronn.de>}
\item Christian Pelissier \email{<Christian.Pelissier*onera.fr>}
\item Rudolph Pereira \email{<rudolph*usyd.edu.au>}
\item Dennis Peterson \email{<dennispe*inetnw.com>}
\item Ed Phillips \email{<ed*UDel.Edu>}
\item Andreas Piesk \email{<Andreas.Piesk*heise.de>}
\item Mark Pizzolato \email{<clamav-devel*subscriptions.pizzolato.net>}
\item Dean Plant \email{<dean.plant*roke.co.uk>}
\item Alex Pleiner \email{<pleiner*zeitform.de>}
\item Ant La Porte \email{<ant*dvere.net>}
\item Jef Poskanzer \email{<jef*acme.com>}
\item Christophe Poujol \email{<Christophe.Poujol*atosorigin.com>}
\item Sergei Pronin \email{<sp*finndesign.fi>}
\item Thomas Quinot \email{<thomas*cuivre.fr.eu.org>}
\item Ed Ravin \email{<eravin*panix.com>}
\item Robert Rebbun \email{<robert*desertsurf.com>}
\item Brian A. Reiter \email{<breiter*wolfereiter.com>}
\item Didi Rieder \email{<adrieder*sbox.tugraz.at>}
\item Pavel V. Rochnyack \email{<rpv*fsf.tsu.ru>}
\item Rupert Roesler-Schmidt \email{<r.roesler-schmidt*uplink.at>}
\item David Sanchez \email{<dsanchez*veloxia.com>}
\item David Santinoli \email{<david*santinoli.com>}
\item Vijay Sarvepalli \email{<vssarvep*office.uncg.edu>}
\item Martin Schitter
\item Theo Schlossnagle \email{<jesus*omniti.com>}
\item Enrico Scholz \email{<enrico.scholz*informatik.tu-chemnitz.de>}
\item Karina Schwarz \email{<k.schwarz*uplink.at>}
\item Scsi \email{<scsi*softland.ru>}
\item Dr Matthew J Seaman \email{<m.seaman*infracaninophile.co.uk>}
\item Hector M. Rulot Segovia \email{<Hector.Rulot*uv.es>}
\item Omer Faruk Sen \email{<ofsen*enderunix.org>}
\item Sergey \email{<a\_s\_y*sama.ru>}
\item Tuomas Silen \email{<tuomas.silen*nodeta.fi>}
\item David F. Skoll \email{<dfs*roaringpenguin.com>}
\item Al Smith \email{<ajs+clamav*aeschi.ch.eu.org>}
\item Sergey Smitienko \email{<hunter*comsys.com.ua>}
\item Solar Designer \email{<solar*openwall.com>}
\item Joerg Sonnenberger \email{<joerg*britannica.bec.de>}
\item Michal 'GiM' Spadlinski (\url{http://gim.org.pl/})
\item Kevin Spicer \email{<kevin*kevinspicer.co.uk>}
\item GertJan Spoelman \email{<cav*gjs.cc>}
\item Ole Stanstrup \email{<ole*stanstrup.dk>}
\item Adam Stein \email{<adam*scan.mc.xerox.com>}
\item Steve \email{<steveb*webtribe.net>}
\item Richard Stevenson \email{<richard*endace.com>}
\item Sven Strickroth \email{<sstrickroth*gym-oha.de>}
\item Matt Sullivan \email{<matt*sullivan.gen.nz>}
\item Dr Zbigniew Szewczak \email{<zssz*mat.uni.torun.pl>}
\item Joe Talbott \email{<josepht*cstone.net>}
\item Gernot Tenchio \email{<g.tenchio*telco-tech.de>}
\item Masahiro Teramoto \email{<markun*onohara.to>}
\item Daniel Theodoro \email{<dtheodoro*ig.com.br>}
\item Ryan Thompson \email{<clamav*sasknow.com>}
\item Gianluigi Tiesi \email{<sherpya*netfarm.it>}
\item Yar Tikhiy \email{<yar*comp.chem.msu.su>}
\item Andrew Toller \email{<atoller*connectfree.co.uk>}
\item Michael L. Torrie \email{<torriem*chem.byu.edu>}
\item Trashware \email{<trashware*gmx.net>}
\item Matthew Trent \email{<mtrent*localaccess.com>}
\item Reini Urban \email{<rurban*x-ray.at>}
\item Daniel Mario Vega \email{<dv5a*dc.uba.ar>}
\item Denis Vlasenko \email{<vda*ilport.com.ua>}
\item Laurent Wacrenier \email{<lwa*teaser.fr>}
\item Charlie Watts \email{<cewatts*brainstorminternet.net>}
\item Florian Weimer \email{<fw*deneb.enyo.de>}
\item Paul Welsh \email{<paul*welshfamily.com>}
\item Nicklaus Wicker \email{<n.wicker*cnk-networks.de>}
\item David Woakes \email{<david*mitredata.co.uk>}
\item Troy Wollenslegel \email{<troy*intranet.org>}
\item ST Wong \email{<st-wong*cuhk.edu.hk>}
\item Dale Woolridge \email{<dwoolridge*drh.net>}
\item David Wu \email{<dyw*iohk.com>}
\item Takumi Yamane \email{<yamtak*b-session.com>}
\item Youza Youzovic \email{<youza*post.cz>}
\item Anton Yuzhaninov \email{<citrin*rambler-co.ru>}
\item Leonid Zeitlin \email{<lz*europe.com>}
\item ZMan Z. \email{<x86zman*go-a-way.dyndns.org>}
\item Andoni Zubimendi \email{<andoni*lpsat.net>}
\end{itemize}
\subsection{Donors}
We've received financial support from: (in alphabetical order)
\begin{itemize}
\item ActiveIntra.net Inc. (\url{http://www.activeintra.net/})
\item Advance Healthcare Group (\url{http://www.ahgl.com.au/})
\item Allied Quotes (\url{http://www.AlliedQuotes.com/})
\item American Computer \& Electronic Services Corp. (\url{http://www.acesnw.com/})
\item Amnesty International, Swiss Section (\url{http://www.amnesty.ch/})
\item Steve Anderson
\item Anonymous donor from Colorado, US
\item Arudius (\url{http://arudius.sourceforge.net/})
\item Peter Ashman
\item Atlas College (\url{http://www.atlascollege.nl/})
\item Australian Payday Cash Loans (\url{http://www.cashdoctors.com.au/})
\item AWD Online (\url{http://www.awdonline.com/})
\item BackupAssist Backup Software (\url{http://www.backupassist.com/})
\item Dave Baker
\item Bear and Bear Consulting, Inc. (\url{http://www.bear-consulting.com/})
\item Aaron Begley
\item Craig H. Block
\item Norman E. Brake, Jr.
\item Josh Burstyn
\item By Design (\url{http://www.by-design.net/})
\item Canadian Web Hosting (\url{http://www.canadianwebhosting.com/})
\item cedarcreeksoftware.com (\url{http://www.cedarcreeksoftware.com/})
\item Ricardo Cerqueira
\item Thanos Chatziathanassiou
\item Cheahch from Singapore
\item Conexim Australia - business web hosting (\url{http://www.conexim.com.au})
\item Alan Cook
\item Joe Cooper
\item CustomLogic LLC (\url{http://www.customlogic.com/})
\item Ron DeFulio
\item Digirati (\url{http://oss.digirati.com.br/})
\item Steve Donegan (\url{http://www.donegan.org/})
\item Dynamic Network Services, Inc (\url{http://www.dyndns.org/})
\item EAS Enterprises LLC
\item eCoupons.com (\url{http://www.ecoupons.com/})
\item Electric Embers (\url{http://electricembers.net})
\item John T. Ellis
\item Epublica
\item Bernhard Erdmann
\item David Eriksson (\url{http://www.2good.nu/})
\item Philip Ershler
\item Explido Software USA Inc. (\url{http://www.explido.us/})
\item David Farrick
\item Jim Feldman
\item Petr Ferschmann (\url{http://petr.ferschmann.cz/})
\item Andries Filmer (\url{http://www.netexpo.nl/})
\item The Free Shopping Cart people (\url{http://www.precisionweb.net/})
\item Paul Freeman
\item Jack Fung
\item Stephen Gageby
\item Paolo Galeazzi
\item GANDI (\url{http://www.gandi.net/})
\item Jeremy Garcia (\url{http://www.linuxquestions.org/})
\item GBC Internet Service Center GmbH (\url{http://www.gbc.net/})
\item GCS Tech (\url{http://www.gcstech.net/})
\item GHRS (\url{http://www.ghrshotels.com/})
\item Lyle Giese
\item Todd Goodman
\item Bill Gradwohl (\url{http://www.ycc.com/})
\item Grain-of-Salt Consulting
\item Terje Gravvold
\item Hart Computer (\url{http://www.hart.co.jp/})
\item Pen Helm
\item Hosting Metro LLC (\url{http://www.hostingmetro.com/})
\item IDEAL Software GmbH (\url{http://www.IdealSoftware.com/})
\item Industry Standard Computers (\url{http://www.ISCnetwork.com/})
\item Interact2Day (\url{http://www.interact2day.com/})
\item Invisik Corporation (\url{http://www.invisik.com/})
\item itXcel Internet - Domain Registration (\url{http://www.itxcel.com})
\item Craig Jackson
\item Stuart Jones
\item Jason Judge
\item Keith (\url{http://www.textpad.com/})
\item Ewald Kicker (\url{http://www.very-clever.com/})
\item Brad Koehn
\item Christina Kuratli (\url{http://www.virusprotect.ch/})
\item Logic Partners Inc. (\url{http://www.logicpartners.com/})
\item Mark Lotspaih (\url{http://www.lotcom.org/})
\item Michel Machado (\url{http://oss.digirati.com.br/})
\item Olivier Marechal
\item Matthew McKenzie
\item Durval Menezes (\url{http://www.durval.com.br/})
\item Micro Logic Systems (\url{http://www.mls.nc/})
\item Midcoast Internet Solutions
\item Mimecast (\url{http://www.mimecast.com/})
\item Kazuhiro Miyaji
\item Bozidar Mladenovic
\item Paul Morgan
\item Tomas Morkus
\item The Names Database (\url{http://static.namesdatabase.com})
\item Names Directory (\url{http://www.namesdir.com/})
\item Michael Nolan (\url{http://www.michaelnolan.co.uk/})
\item Jorgen Norgaard
\item Numedeon, Inc. creators of Whyville (\url{http://www.whyville.net/})
\item Oneworkspace.com (\url{http://www.oneworkspace.com/})
\item Online Literature (\url{http://www.couol.com/})
\item Origin Solutions (\url{http://www.originsolutions.com.au/})
\item outermedia GmbH (\url{http://www.outermedia.de/})
\item Kevin Pang (\url{http://www.freebsdblog.org/})
\item Alexander Panzhin
\item Passageway Communications (\url{http://www.passageway.com})
\item Dan Pelleg (\url{http://www.libagent.org/})
\item Thodoris Pitikaris
\item Paul Rantin
\item Thomas J. Raef (\url{http://www.ebasedsecurity.com})
\item Luke Reeves (\url{http://www.neuro-tech.net/})
\item RHX (\url{http://www.rhx.it/})
\item Stefano Rizzetto
\item Roaring Penguin Software Inc. (\url{http://www.roaringpenguin.com/})
\item Luke Rosenthal
\item School of Engineering, University of Pennsylvania (\url{http://www.seas.upenn.edu/})
\item Tim Scoff
\item Seattle Server (\url{http://www.seattleserver.com/})
\item Software Workshop Inc (\url{http://www.softwareworkshop.com/})
\item Solutions In A Box (\url{http://www.siab.com.au/})
\item Stephane Rault
\item SearchMain (\url{http://www.searchmain.com/})
\item Olivier Silber
\item Fernando Augusto Medeiros Silva (\url{http://www.linuxplace.com.br/})
\item Sollentuna Fria Gymnasium, Sweden (\url{http://www.sfg.se/})
\item StarBand (\url{http://www.starband.com/})
\item Stroke of Color, Inc.
\item Synchro Sistemas de Informacao (\url{http://synchro.com.br/})
\item Sahil Tandon
\item The Spamex Disposable Email Address Service (\url{http://www.spamex.com})
\item Brad Tarver
\item TGT Tampermeier \& Grill Steuerberatungs- und Wirtschaftstreuhand OEG (\url{http://www.tgt.at/})
\item Per Reedtz Thomsen
\item William Tisdale
\item Up Time Technology (\url{http://www.uptimetech.com/})
\item Ulfi
\item Jeremy Vanderburg (\url{http://www.jeremytech.com/})
\item Web.arbyte - Online-Marketing (\url{http://www.webarbyte.de/})
\item Webzone Srl (\url{http://www.webzone.it/})
\item Markus Welsch (\url{http://www.linux-corner.net/})
\item Julia White (\url{http://www.convert-tools.com/})
\item Nicklaus Wicker
\item David Williams (\url{http://kayakero.net/})
\item Glenn R Williams
\item Kelly Williams
\item XRoads Networks (\url{http://xroadsnetworks.com/})
\item Zimbra open-source collaboration suite (\url{http://www.zimbra.com/})
\end{itemize}
\subsection{Graphics}
The ClamAV logo was created by Mia Kalenius and Sergei Pronin from
Finndesign (\url{http://www.finndesign.fi/}).
\subsection{OpenAntiVirus}
Our database includes the virus database (about 7000 signatures) from
OpenAntiVirus (\url{http://OpenAntiVirus.org}).

\section{Core Team}
\begin{itemize}
\item aCaB \email{<acab*clamav.net>}, Italy\\
Role: virus database maintainer, coder
\item Mike Cathey \email{<mike*clamav.net>}, USA\\
Role: co-sysadmin
\item Christoph Cordes \email{<ccordes*clamav.net>}, Germany\\
Role: virus database maintainer
\item Diego d'Ambra \email{<diego*clamav.net>}, Denmark\\
Role: virus database maintainer
\item Luca Gibelli \email{<luca*clamav.net>}, Italy\\
Role: sysadmin, mirror coordinator
\item Nigel Horne \email{<njh*clamav.net>}, United Kingdom\\
Role: coder

\item Arnaud Jacques \email{<arnaud*clamav.net>}, France\\
Role: virus database maintainer

\item Tomasz Kojm \email{<tkojm*clamav.net>}, Poland\\
Role: project leader, coder
\item Tomasz Papszun \email{<tomek*clamav.net>}, Poland\\
Role: various help

\item Sven Strickroth \email{<sven*clamav.net>}, Germany\\
Role: virus database maintainer, virus submission management
\item Edwin Torok \email{<edwin*clamav.net>}, Romania\\
Role: coder

\item Trog \email{<trog*clamav.net>}, United Kingdom\\
Role: coder
\end{itemize}
\end{document}